[SECURITY] [API BREAKING CHANGE] Require logout token.

[lhc/web/wiklou.git] / includes / skins / SkinTemplate.php
diff --git a/includes/skins/SkinTemplate.php b/includes/skins/SkinTemplate.php

index 532ee51..203326f 100644 (file)
--- a/includes/skins/SkinTemplate.php
+++ b/includes/skins/SkinTemplate.php
@@ -46,7 +46,7 @@ class SkinTemplate extends Skin {
          * @var string For QuickTemplate, the name of the subclass which will
          *   actually fill the template.  Child classes should override the default.
          */
-       public $template = 'QuickTemplate';
+       public $template = QuickTemplate::class;
  
         public $thispage;
         public $titletxt;
@@ -524,15 +524,48 @@ class SkinTemplate extends Skin {
          * @return string
          */
         public function getPersonalToolsList() {
+               return $this->makePersonalToolsList();
+       }
+
+       /**
+        * Get the HTML for the personal tools list
+        *
+        * @since 1.31
+        *
+        * @param array $personalTools
+        * @param array $options
+        * @return string
+        */
+       public function makePersonalToolsList( $personalTools = null, $options = [] ) {
                 $tpl = $this->setupTemplateForOutput();
                 $tpl->set( 'personal_urls', $this->buildPersonalUrls() );
                 $html = '';
-               foreach ( $tpl->getPersonalTools() as $key => $item ) {
-                       $html .= $tpl->makeListItem( $key, $item );
+
+               if ( $personalTools === null ) {
+                       $personalTools = $tpl->getPersonalTools();
+               }
+
+               foreach ( $personalTools as $key => $item ) {
+                       $html .= $tpl->makeListItem( $key, $item, $options );
                 }
+
                 return $html;
         }
  
+       /**
+        * Get personal tools for the user
+        *
+        * @since 1.31
+        *
+        * @return array Array of personal tools
+        */
+       public function getStructuredPersonalTools() {
+               $tpl = $this->setupTemplateForOutput();
+               $tpl->set( 'personal_urls', $this->buildPersonalUrls() );
+
+               return $tpl->getPersonalTools();
+       }
+
         /**
          * Format language name for use in sidebar interlanguage links list.
          * By default it is capitalized.
@@ -594,21 +627,24 @@ class SkinTemplate extends Skin {
                         $page = Title::newFromText( $request->getVal( 'title', '' ) );
                 }
                 $page = $request->getVal( 'returnto', $page );
-               $a = [];
+               $returnto = [];
                 if ( strval( $page ) !== '' ) {
-                       $a['returnto'] = $page;
+                       $returnto['returnto'] = $page;
                         $query = $request->getVal( 'returntoquery', $this->thisquery );
+                       $paramsArray = wfCgiToArray( $query );
+                       unset( $paramsArray['logoutToken'] );
+                       $query = wfArrayToCgi( $paramsArray );
                         if ( $query != '' ) {
-                               $a['returntoquery'] = $query;
+                               $returnto['returntoquery'] = $query;
                         }
                 }
  
-               $returnto = wfArrayToCgi( $a );
                 if ( $this->loggedin ) {
                         $personal_urls['userpage'] = [
                                 'text' => $this->username,
                                 'href' => &$this->userpageUrlDetails['href'],
                                 'class' => $this->userpageUrlDetails['exists'] ? false : 'new',
+                               'exists' => $this->userpageUrlDetails['exists'],
                                 'active' => ( $this->userpageUrlDetails['href'] == $pageurl ),
                                 'dir' => 'auto'
                         ];
@@ -617,6 +653,7 @@ class SkinTemplate extends Skin {
                                 'text' => $this->msg( 'mytalk' )->text(),
                                 'href' => &$usertalkUrlDetails['href'],
                                 'class' => $usertalkUrlDetails['exists'] ? false : 'new',
+                               'exists' => $usertalkUrlDetails['exists'],
                                 'active' => ( $usertalkUrlDetails['href'] == $pageurl )
                         ];
                         $href = self::makeSpecialUrl( 'Preferences' );
@@ -664,9 +701,10 @@ class SkinTemplate extends Skin {
                                 $personal_urls['logout'] = [
                                         'text' => $this->msg( 'pt-userlogout' )->text(),
                                         'href' => self::makeSpecialUrl( 'Userlogout',
-                                               // userlogout link must always contain an & character, otherwise we might not be able
+                                               // Note: userlogout link must always contain an & character, otherwise we might not be able
                                                 // to detect a buggy precaching proxy (T19790)
-                                               $title->isSpecial( 'Preferences' ) ? 'noreturnto' : $returnto ),
+                                               ( $title->isSpecial( 'Preferences' ) ? [] : $returnto )
+                                               + [ 'logoutToken' => $this->getUser()->getEditToken( 'logoutToken', $this->getRequest() ) ] ),
                                         'active' => false
                                 ];
                         }
@@ -749,8 +787,10 @@ class SkinTemplate extends Skin {
                 if ( $selected ) {
                         $classes[] = 'selected';
                 }
+               $exists = true;
                 if ( $checkEdit && !$title->isKnown() ) {
                         $classes[] = 'new';
+                       $exists = false;
                         if ( $query !== '' ) {
                                 $query = 'action=edit&redlink=1&' . $query;
                         } else {
@@ -788,6 +828,7 @@ class SkinTemplate extends Skin {
                         'class' => implode( ' ', $classes ),
                         'text' => $text,
                         'href' => $title->getLocalURL( $query ),
+                       'exists' => $exists,
                         'primary' => true ];
                 if ( $linkClass !== '' ) {
                         $result['link-class'] = $linkClass;